Merge pull request #6021 from hashicorp/f-anonymous-policy-access

api: Update policy endpoint to permit anonymous access
hashicorp · Nov 20, 2019 · 32c828a · 32c828a
2 parents bb729f2 + 8389af6
commit 32c828a
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/nomad/acl_endpoint.go b/nomad/acl_endpoint.go
@@ -220,9 +220,10 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicySpecificRequest, reply *structs.S
 		return structs.ErrPermissionDenied
 	}
 
+	// If the policy is the anonymous one, anyone can get it
 	// If it is not a management token determine if it can get this policy
 	mgt := acl.IsManagement()
-	if !mgt {
+	if !mgt && args.Name != "anonymous" {
 		snap, err := a.srv.fsm.State().Snapshot()
 		if err != nil {
 			return err

diff --git a/nomad/acl_endpoint_test.go b/nomad/acl_endpoint_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/hashicorp/nomad/nomad/structs"
 	"github.com/hashicorp/nomad/testutil"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestACLEndpoint_GetPolicy(t *testing.T) {
@@ -28,10 +29,14 @@ func TestACLEndpoint_GetPolicy(t *testing.T) {
 	policy := mock.ACLPolicy()
 	s1.fsm.State().UpsertACLPolicies(1000, []*structs.ACLPolicy{policy})
 
+	anonymousPolicy := mock.ACLPolicy()
+	anonymousPolicy.Name = "anonymous"
+	s1.fsm.State().UpsertACLPolicies(1001, []*structs.ACLPolicy{anonymousPolicy})
+
 	// Create a token with one the policy
 	token := mock.ACLToken()
 	token.Policies = []string{policy.Name}
-	s1.fsm.State().UpsertACLTokens(1001, []*structs.ACLToken{token})
+	s1.fsm.State().UpsertACLTokens(1002, []*structs.ACLToken{token})
 
 	// Lookup the policy
 	get := &structs.ACLPolicySpecificRequest{
@@ -53,7 +58,7 @@ func TestACLEndpoint_GetPolicy(t *testing.T) {
 	if err := msgpackrpc.CallWithCodec(codec, "ACL.GetPolicy", get, &resp); err != nil {
 		t.Fatalf("err: %v", err)
 	}
-	assert.Equal(t, uint64(1000), resp.Index)
+	assert.Equal(t, uint64(1001), resp.Index)
 	assert.Nil(t, resp.Policy)
 
 	// Lookup the policy with the token
@@ -70,6 +75,20 @@ func TestACLEndpoint_GetPolicy(t *testing.T) {
 	}
 	assert.EqualValues(t, 1000, resp2.Index)
 	assert.Equal(t, policy, resp2.Policy)
+
+	// Lookup the anonymous policy with no token
+	get = &structs.ACLPolicySpecificRequest{
+		Name: anonymousPolicy.Name,
+		QueryOptions: structs.QueryOptions{
+			Region: "global",
+		},
+	}
+	var resp3 structs.SingleACLPolicyResponse
+	if err := msgpackrpc.CallWithCodec(codec, "ACL.GetPolicy", get, &resp3); err != nil {
+		require.NoError(t, err)
+	}
+	assert.EqualValues(t, 1001, resp3.Index)
+	assert.Equal(t, anonymousPolicy, resp3.Policy)
 }
 
 func TestACLEndpoint_GetPolicy_Blocking(t *testing.T) {